
Naughty GreaseMonkey

Looks like some major ‘sploits have been identified for GreaseMonkey:

“…In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with “@include *” (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.”

(From the “[Greasemonkey] greasemonkey for secure data over insecure networks / sites” thread on the GreaseMonkey developer list)

The general agreement on the list is to totally disable or uninstall GM for the time being… Eeek.
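For anyone taking stock of what they have installed, here is an added example (not from the original post or the Greasemonkey project) that audits userscript sources for the scope the quoted message warns about: it parses the metadata block, treats a missing @include as “@include *”, and reports whether each script runs on every site and whether it references GM_xmlhttpRequest. The function names and the sample scripts are constructed for illustration.

```javascript
// Added example: report which sites each userscript runs on.
// The sample scripts below are constructed for illustration.
const SAMPLES = {
  "no-include.user.js": [
    "// ==UserScript==",
    "// @name  Constructed sample A",
    "// ==/UserScript==",
    "document.title = 'a';",
  ].join("\n"),
  "scoped.user.js": [
    "// ==UserScript==",
    "// @name     Constructed sample B",
    "// @include  http://example.com/*",
    "// ==/UserScript==",
    "GM_xmlhttpRequest({ method: 'GET', url: 'http://example.com/api' });",
  ].join("\n"),
};

// Parse the "// ==UserScript==" header into the name and @include patterns.
function parseMetadata(source) {
  const meta = { name: null, includes: [] };
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "// ==UserScript==") { inBlock = true; continue; }
    if (line === "// ==/UserScript==") break;
    const m = inBlock && /^\/\/\s*@(\S+)\s+(.*)$/.exec(line);
    if (!m) continue;
    if (m[1] === "name") meta.name = m[2].trim();
    if (m[1] === "include") meta.includes.push(m[2].trim());
  }
  return meta;
}

// True for patterns such as "*", "http://*" or "*://*/*" that match every site.
const matchesEverySite = (p) => /^([a-z*]+:\/\/)?\*(\/\*)?$/i.test(p);

function auditScript(source) {
  const meta = parseMetadata(source);
  const defaulted = meta.includes.length === 0; // no @include means "@include *"
  const includes = defaulted ? ["*"] : meta.includes;
  return {
    name: meta.name,
    includes,
    defaulted,
    exposure: includes.some(matchesEverySite) ? "all-sites" : "listed-sites",
    usesXhr: /\bGM_xmlhttpRequest\b/.test(source), // textual match only
  };
}

for (const [file, src] of Object.entries(SAMPLES)) console.log(file, auditScript(src));
```

A “listed-sites” result only narrows the exposure: per the quoted message, the sites a script does run on are still the ones that can reach local files.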

Published in News

2 Comments

  1. Uninstall GreaseMonkey or use version 0.3.5

    Fire Greasemonkey was going to be the headline, but that didn’t seem to be direct enough so I changed to “Uninstall GreaseMonkey” which is Mark Pilgrim’s advice after the recent discovery that Greasemonkey has a major security …
